| ▲ | Active Supply Chain Attack on axios 1.14.1 | |
| 16 points by lemax 11 hours ago | 1 comments | ||
axios@1.14.1, published 2026-03-31, introduces a new dependency plain-crypto-js@4.2.1 that was not present in axios@1.14.0. This package is malicious — it contains an obfuscated postinstall script (setup.js) that downloads and executes a remote payload. Evidence axios@1.14.0 dependencies: follow-redirects, form-data, proxy-from-env (3 deps) axios@1.14.1 dependencies: same 3 + plain-crypto-js (new, not in any prior axios version) plain-crypto-js has "postinstall": "node setup.js" in its scripts setup.js is heavily obfuscated — it decodes base64 strings, writes scripts to the OS temp directory, executes them via shell (macOS) or PowerShell (Windows), then deletes itself | ||
| ▲ | nullbyte 9 hours ago | parent [-] | |
npm security team has removed the offending package: https://github.com/axios/axios/issues/10604#issuecomment-415... new installs should be safe now | ||